7/31/2019 2009 10 21 Larry Clinton Financial Risk Management Presentation for ANSI
Larry Clinton, President
Internet Security Alliance
[email protected]
703-907-7028
202-236-0001
ISA Board of Directors
Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
Marc-Anthony Signorino, Treasurer; National Assoc. of Manufacturers
Ken Silva, Immediate Past Chair; CSO, VeriSign
Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Lawrence Dobranski, Chief Strategic Security, Nortel
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Joe Buonomo, President, DCR
Bruno Mahlmann, VP Cyber Security, Perot Systems
Linda Meeks, VP CISO, Boeing Corp.
Core Principles
1. The Internet Changes Everything
2. Cyber Security is not an "IT" issue
3. Government and industry must rethink and evolve new roles, responsibilities and practices to create a sustainable system of cyber security
ISAlliance Mission Statement
ISA seeks to integrate advancements in technology with pragmatic business needs and enlightened public policy to create a sustainable system of cyber security.
The Economy is reliant on the Internet
The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security. (PWC Global Cyber Security Survey 2008)
CURRENT ECONOMIC INCENTIVES FAVOR ATTACKERS
Attacks are cheap and easy
Vulnerabilities are almost infinite
Profits from attacks are enormous ($1 TRILLION in 08)
Defense is costly (usually no ROI)
Defense is often futile
Costs of attacks are distributed
The need to understand business economics to address cyber issues
If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership. --- President's Cyberspace Policy Review, May 30, 2009, page 18
Financial Management of Cyber Risk
It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. (President's Cyberspace Policy Review, May 30, 2009, page 15)
ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask, including what they ought to be asking their General Counsel and outside counsel. Also HR, Business Operations, Public and Investor Communications and Compliance.
Senior Execs ARE NOT analyzing Cyber Risk adequately
There is still a gap between IT and enterprise risk management. Survey results confirm the belief among IT security professionals that Boards and senior executives are not adequately involved in key areas related to the governance of enterprise security. (2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey)
Communication Across Corporate Structures is inadequate
Intra-company communication on privacy and security risks was lacking. Only 17% of respondents indicated they had a cross-organizational privacy/security team.
Less than half (47%) had a formal enterprise risk management plan.
1/3 of those with a plan did not include IT-related risks in the plan. --- (CMU 2008)
Financial Impact of Cyber Risk, October 2008
The Economic Assessment of Cyber Security: 50 Questions for CFOs
Business Operations
General Counsel
Compliance Officer
Media (Investors and PR)
Human Resources
Risk Manager/Insurance
Calculate Net Financial Risk
Threat (frequency of risk event / probable number of events per year)
X Consequence (severity of risk event / possible loss from event)
X Vulnerability (likelihood or % of damages, given mitigation actions)
MINUS Risk Transferred (e.g. insurance)
= NET FINANCIAL RISK
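The slide's formula carried through in code, as an added example (not part of the ISA/ANSI deck). It sums Threat x Consequence x Vulnerability minus Risk Transferred over a small portfolio of risk events and then re-runs the calculation with one vulnerability lowered by a control, so the "net financial risk" of a mitigation decision can be compared with what the control costs. The deck only says "Risk Transferred (e.g. insurance)"; the per-event deductible and limit, the event names and all dollar figures are constructed assumptions for this example.

```python
"""Net financial risk worked through in code.

Added example, not from the ISA/ANSI deck. Implements the slide's formula

    Threat x Consequence x Vulnerability - Risk Transferred = NET FINANCIAL RISK

over a portfolio of risk events. Threat is events per year, Consequence the loss
per event in dollars, Vulnerability the fraction of that loss realised given
current mitigations. The insurance model (per-event deductible and limit) and
every sample figure below are assumptions made for the example.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class RiskEvent:
    name: str
    threat: float         # probable number of events per year
    consequence: float    # possible loss per event, in dollars
    vulnerability: float  # share of the loss realised given mitigation actions, 0..1

    def __post_init__(self) -> None:
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("vulnerability must be a fraction between 0 and 1")
        if self.threat < 0.0 or self.consequence < 0.0:
            raise ValueError("threat and consequence cannot be negative")


@dataclass(frozen=True)
class InsurancePolicy:
    """Assumed transfer model: insurer pays the loss above the deductible, up to a limit."""
    deductible: float  # dollars retained on each event before cover applies
    limit: float       # maximum insurer payout per event


def gross_risk(event: RiskEvent) -> float:
    """Threat x Consequence x Vulnerability: expected annual loss before any transfer."""
    return event.threat * event.consequence * event.vulnerability


def risk_transferred(event: RiskEvent, policy: Optional[InsurancePolicy]) -> float:
    """Expected annual insurer payout for one event class under the assumed policy."""
    if policy is None:
        return 0.0
    loss_per_event = event.consequence * event.vulnerability
    payout_per_event = min(max(loss_per_event - policy.deductible, 0.0), policy.limit)
    return event.threat * payout_per_event


def net_financial_risk(events: Iterable[RiskEvent],
                       policy: Optional[InsurancePolicy] = None) -> float:
    """The slide's formula summed over the portfolio (the premium is not netted here)."""
    events = list(events)
    gross = sum(gross_risk(e) for e in events)
    transferred = sum(risk_transferred(e, policy) for e in events)
    return gross - transferred


def evaluate_control(events: Iterable[RiskEvent], policy: Optional[InsurancePolicy],
                     event_name: str, new_vulnerability: float,
                     annual_cost: float) -> Tuple[float, float, float]:
    """Re-run the formula with one event's vulnerability lowered by a control.

    Returns (net_before, net_after, annual_benefit); annual_benefit is the reduction
    in net financial risk minus what the control costs per year. Negative means the
    control removes less retained risk than it costs.
    """
    events = list(events)
    before = net_financial_risk(events, policy)
    changed = [replace(e, vulnerability=new_vulnerability) if e.name == event_name else e
               for e in events]
    after = net_financial_risk(changed, policy)
    return before, after, (before - after) - annual_cost


# Constructed sample portfolio (illustrative figures, not from the deck).
SAMPLE_EVENTS = (
    RiskEvent("ransomware on file servers", threat=0.5, consequence=2_000_000, vulnerability=0.4),
    RiskEvent("lost laptop with customer data", threat=3.0, consequence=150_000, vulnerability=0.6),
    RiskEvent("web application breach", threat=0.2, consequence=5_000_000, vulnerability=0.3),
)
SAMPLE_POLICY = InsurancePolicy(deductible=100_000, limit=1_000_000)

if __name__ == "__main__":
    print(f"gross annual risk:      ${net_financial_risk(SAMPLE_EVENTS):,.0f}")
    print(f"net with sample policy: ${net_financial_risk(SAMPLE_EVENTS, SAMPLE_POLICY):,.0f}")
    for policy in (None, SAMPLE_POLICY):
        before, after, benefit = evaluate_control(
            SAMPLE_EVENTS, policy, "ransomware on file servers", 0.2, annual_cost=120_000)
        label = "uninsured" if policy is None else "insured"
        print(f"{label}: control cuts net risk ${before:,.0f} -> ${after:,.0f}, "
              f"annual benefit after cost ${benefit:,.0f}")
```

Run stand-alone it prints the gross figure ($970,000 for the constructed portfolio), the net figure with the assumed policy ($420,000), and the two control evaluations. The contrast between them is the point worth noticing: uninsured, cutting the ransomware vulnerability from 0.4 to 0.2 removes $200,000 of expected loss and clears its $120,000 cost; with the assumed per-event deductible in place the same control changes nothing in the retained figure, because every avoided dollar would have been paid by the insurer. That is a property of the deductible model chosen here, not a claim from the deck, but it is exactly the kind of interaction between mitigation spend and risk transfer that the CFO questions on the following slides are meant to surface.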
Sample Questions: Legal
Analyzed liabilities?
What legal rules apply to us or 3rd parties?
Vulnerable to class action/shareholder suits?
Legal exposure to government investigations?
Do our contracts protect us enough?
Multi-state laws apply?
Exposed to trade secret theft?
Sample Questions: Compliance
Inventory of applicable regulations?
Where is our regulated data?
Valid reasons for holding all our data?
Policies and procedures documented?
Can we opt out of regulatory requirements?
Are we tracking compliance?
Are we reviewing and updating privacy compliance?
Sample Questions: Business Operations
What's our single biggest vulnerability?
How long are we down? Want to be up?
Are we complying with SoA standards?
Are we properly staffed?
Have we assessed physical security?
Incident response/continuity plans?
Risk exposure from vendors?
How often do we re-evaluate risks?
Sample Questions: Human Resources
Does everyone understand our $ risk?
Attract/retain the right personnel?
Are we managing the human vulnerability?
Is the org structured for team work?
Audit network access (esp. at termination)?
Address social networking and public sites?
HR assessment include cyber security?
Discipline policy adequate for monitoring?
Sample Questions: Media/Crisis Management Team
Do we have segmented responses for all stakeholders?
Documented crisis communication plan?
Identified and trained all who need to be?
Have the external contacts we need?
Have we run a mock trial?
Are we budgeted for a crisis?
Sample Questions: Risk Manager/Insurance
Are we insured for this? (probably no)
What can we get insurance for?
What is the D&O exposure?
Where can we find cyber insurance and what does it cover (and not cover)?
What's the cost benefit of insurance?
How do we evaluate policies?
Releasing the Cyber Security Social Contract, November 2008
ISA Cyber Social Contract
Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
Infrastructure development -- market incentives
Consumer protection through regulation
Government role is more creative/harder: motivate, not mandate, compliance
Industry role is to develop practices and standards and implement them
ISA Model: Create a Market for Best Practices and Standards
Studies show nearly 90% of breaches could be prevented by following known best practices and standards
Private sector should continue to develop standards, practices, technologies
Government tests them for effectiveness
Government should motivate adoption via a sliding scale of market incentives
President Obama's Report on Cyber Security (May 30, 2009)
The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights. (President's Cyberspace Policy Review, page iii)
Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008
President Obama's Report on Cyber Security (May 30, 2009)
The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms. (President's Cyberspace Policy Review, May 30, 2009, page v)
Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress
Larry Clinton, President
Internet Security Alliance
[email protected]
703-907-7028
202-236-0001